Threat Intelligence Brief - Wednesday, June 17, 2026

Operational threat reporting for defenders who need signal, not noise.

By DevSecOpsDad

Executive Signal

  • DragonForce ransomware has deployed a Go-based backdoor that routes C2 traffic through Microsoft Teams relay servers, blending malicious communications with legitimate collaboration traffic and evading network-layer controls that allow Teams traffic by default.
  • Microsoft Defender carries an unpatched zero-day (“RoguePlanet”) with public proof-of-concept code exploiting a race condition to achieve SYSTEM-level privileges on Windows. No patch is available.
  • Joomla and LiteSpeed are under active exploitation, enabling arbitrary PHP code execution and root escalation on shared hosting servers. CISA has added the Joomla JCE plugin flaw to its Known Exploited Vulnerabilities catalog.
  • 144 npm packages in the @mastra/* namespace are compromised following a contributor account hijack. Any organization building AI applications on the Mastra framework should treat affected dependencies as suspect.

Immediate Action Required

Priority | Item | Action
🔴 Critical | Joomla JCE plugin (actively exploited, CISA KEV) | Patch immediately; validate all Joomla instances for compromise indicators
🔴 Critical | Joomla & LiteSpeed (arbitrary code execution, root escalation in the wild) | Update to latest versions; audit shared hosting environments for signs of exploitation
🔴 Critical | Microsoft Defender "RoguePlanet" zero-day (public PoC, no patch available) | Apply compensating controls; monitor Microsoft advisories for an emergency patch; restrict local access on sensitive endpoints
🔴 Critical | DragonForce ransomware / Teams C2 (active campaign) | Baseline Teams relay traffic; validate EDR coverage; confirm ransomware response playbooks account for SaaS-based C2
🟠 High | @mastra/* npm packages (144 packages compromised via account hijack) | Audit all @mastra/* dependencies; pin known-good versions; scan build pipelines for compromise

High-Impact Developments

DragonForce Ransomware Abuses Microsoft Teams for Command-and-Control

  • What happened: DragonForce operators deployed a Go-based backdoor using Microsoft Teams relay servers as its C2 channel, blending malicious traffic with legitimate enterprise communications.
  • Why it matters: Routing C2 through a trusted, broadly permitted SaaS platform defeats most network-layer controls and proxy inspection policies. This reflects operational maturity and a deliberate effort to exploit detection blind spots.
  • Who should care: Enterprise security teams, SOC analysts, and IT operations — particularly where broad outbound access to Microsoft Teams infrastructure is permitted.
  • Recommended action: Establish behavioral baselines for Teams relay traffic: which process images, hosts and volumes normally reach those endpoints, so that a non-Teams binary holding persistent sessions to them stands out. Tune EDR telemetry for Go-compiled implant characteristics (large, statically linked, unsigned or newly seen images making outbound connections). Confirm ransomware playbooks account for C2 traversing trusted SaaS infrastructure, where blocking the destination is not an option.
  • Confidence: High
  • Search metadata: T1071.001, DragonForce, Microsoft Teams, ransomware, backdoor
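The baseline described above, as an added example written for this brief (not DragonForce tooling and not a vendor detection rule). It reads network-connection telemetry as one JSON object per line, keeps only connections to Teams destinations, and alerts on any process image outside a baselined set of expected Teams clients. The hostname pattern, the baseline set and the sample events are constructed for illustration; build the real baseline from your own proxy and EDR data.

```python
"""Flag processes talking to Teams endpoints that are not the expected Teams clients.

Added example for this brief, not part of any vendor product or the campaign tooling.
Assumptions (constructed): telemetry is one JSON object per line with the fields
used below; the Teams hostname pattern is illustrative, not Microsoft's endpoint list.
"""
import json
import re
from collections import defaultdict

# Destinations a Teams client is expected to reach (illustrative pattern only;
# derive the real list from your proxy logs and Microsoft's published endpoints).
TEAMS_HOST_RE = re.compile(r"(^|\.)teams\.microsoft\.com$", re.IGNORECASE)

# Baseline: process images that legitimately hold Teams sessions in this
# hypothetical environment. Build it from a clean week of telemetry.
BASELINE_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

# Constructed sample telemetry: one network-connection event per line.
SAMPLE_EVENTS = """
{"host":"WS-0142","image":"ms-teams.exe","pid":4120,"dst":"teams.microsoft.com","dport":443,"signed":true}
{"host":"WS-0142","image":"msedge.exe","pid":5532,"dst":"teams.microsoft.com","dport":443,"signed":true}
{"host":"WS-0207","image":"svchost.exe","pid":1188,"dst":"login.microsoftonline.com","dport":443,"signed":true}
{"host":"WS-0207","image":"updatesvc.exe","pid":7720,"dst":"relay.teams.microsoft.com","dport":443,"signed":false}
{"host":"SRV-FILE01","image":"syncagent.exe","pid":3311,"dst":"relay.teams.microsoft.com","dport":443,"signed":false}
{"host":"SRV-FILE01","image":"syncagent.exe","pid":3311,"dst":"relay.teams.microsoft.com","dport":443,"signed":false}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_teams_destination(hostname):
    """True when the destination is teams.microsoft.com or a subdomain of it."""
    return bool(TEAMS_HOST_RE.search(hostname))


def find_anomalies(events, baseline=BASELINE_IMAGES):
    """Return one finding per (host, image) pair that reached a Teams endpoint
    without being a baselined Teams client, with the connection count."""
    counts = defaultdict(int)
    first_seen = {}
    for ev in events:
        if not is_teams_destination(ev["dst"]):
            continue
        image = ev["image"].lower()
        if image in baseline:
            continue
        key = (ev["host"], image)
        counts[key] += 1
        first_seen.setdefault(key, ev)
    findings = []
    for (host, image), n in sorted(counts.items()):
        ev = first_seen[(host, image)]
        findings.append({
            "host": host,
            "image": image,
            "pid": ev["pid"],
            "dst": ev["dst"],
            "connections": n,
            "signed": ev["signed"],
        })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {f['host']}: {f['image']} (pid {f['pid']}, signed={f['signed']}) "
              f"-> {f['dst']} x{f['connections']}")
```

On the constructed sample the two unsigned, non-baselined images (updatesvc.exe and syncagent.exe) are reported and the legitimate clients are not. In production the baseline should be keyed per host class (workstation vs. server), since a file server holding Teams sessions at all is itself worth a look.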

RoguePlanet Zero-Day in Microsoft Defender — Public PoC, No Patch

  • What happened: A zero-day in Microsoft Defender, disclosed approximately one week ago and named “RoguePlanet,” exploits a race condition to spawn a command prompt with SYSTEM privileges. Microsoft has confirmed it is working on a patch; none is available. Public proof-of-concept code is circulating.
  • Why it matters: A weaponizable privilege escalation flaw in the endpoint security tool itself is a high-value target. Attackers with initial access can fully compromise a host while potentially impairing the tool meant to detect them. Public PoC compresses the exploitation window significantly.
  • Who should care: Endpoint security teams, Windows operations, and SOC — any organization where Microsoft Defender is a primary endpoint control.
  • Recommended action: Monitor Microsoft’s security advisory channel for an out-of-band patch. Apply least privilege to limit local access on sensitive systems. Validate that secondary detection layers are operational and not solely dependent on Defender.
  • Confidence: High
  • Search metadata: T1059, T1068, RoguePlanet, Microsoft Defender, Windows, zero-day, privilege escalation

Joomla JCE Plugin and LiteSpeed Vulnerabilities Under Active Exploitation

  • What happened: Attackers are actively exploiting flaws in the Widget Factory Joomla Content Editor (JCE) plugin and LiteSpeed web server. Exploitation enables arbitrary PHP code execution and root privilege escalation on shared hosting servers. CISA has added the Joomla JCE flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by end of week.
  • Why it matters: Shared hosting environments amplify blast radius — root access on one tenant can affect co-located sites. CISA KEV designation confirms active exploitation, not theoretical risk.
  • Who should care: Web operations teams, hosting providers, and security teams managing public-facing Joomla or LiteSpeed infrastructure. Federal agencies face a hard deadline.
  • Recommended action: Patch the JCE plugin and update LiteSpeed immediately. Review web server logs for exploitation indicators. Shared hosting operators should assess tenant isolation controls.
  • Confidence: High
  • Search metadata: T1190, T1059, T1068, Joomla, LiteSpeed, Widget Factory Joomla Content Editor (JCE) plugin, arbitrary code execution, privilege escalation, CISA, federal agencies, vulnerability exploitation

Supply Chain Attack Compromises 144 Mastra npm Packages (easy-day-js)

  • What happened: A supply chain attack tracked as “easy-day-js” compromised 144 npm packages in the @mastra/* namespace by hijacking a contributor account. Mastra is a widely used open-source JavaScript/TypeScript framework for building AI applications.
  • Why it matters: Account hijacking in open-source ecosystems is a low-cost, high-yield attack vector. Any organization that pulled affected @mastra/* packages during the compromise window may have introduced malicious code into builds or production environments. The AI application focus increases the likelihood of sensitive data exposure in affected codebases.
  • Who should care: Development teams, AppSec, and supply chain owners — particularly those building AI-integrated applications on the Mastra framework.
  • Recommended action: Audit @mastra/* dependencies across all projects. Identify the compromise window and determine whether affected versions entered any builds. Enforce MFA on all package registry contributor accounts. Review SBOM practices.
  • Confidence: High
  • Search metadata: T1195.002, T1078.004, T1041, npm, @mastra/*, easy-day-js, Mastra framework, supply chain attack, compromised account, AI applications, data exfiltration
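The dependency audit recommended above, as an added example written for this brief (not Mastra project code and not an npm feature). It walks a package-lock.json (lockfileVersion 2 or 3 layout, where "packages" is keyed by install path), finds every copy of a package in the @mastra/ scope including nested transitive installs, and flags versions outside a known-good set, tarballs resolved from anywhere other than registry.npmjs.org, packages declaring an install script, and entries with no integrity hash. The version pins and the sample lockfile are constructed for illustration and do not describe the real compromise window; populate the pins from the advisory and your own last-known-good lockfile.

```python
"""Audit a package-lock.json for packages in a compromised npm scope.

Added example for this brief, not Mastra project code or an npm feature.
Assumptions (constructed): lockfileVersion 2/3 layout with a "packages" map keyed
by install path; the known-good versions and sample lockfile below are illustrative.
"""
import json

SCOPE = "@mastra/"

# Constructed pins: the last versions your team reviewed and trusts. In practice
# populate these from the vendor advisory and your last-known-good lockfile.
KNOWN_GOOD = {
    "@mastra/core": {"0.10.5", "0.10.6"},
    "@mastra/memory": {"0.4.2"},
}

# Constructed sample lockfile. The nested path shows that transitive copies
# installed under another package are found as well.
SAMPLE_LOCK = r'''{
  "name": "agent-service",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "agent-service", "version": "1.0.0"},
    "node_modules/@mastra/core": {
      "version": "0.10.6",
      "resolved": "https://registry.npmjs.org/@mastra/core/-/core-0.10.6.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/@mastra/memory": {
      "version": "0.4.3",
      "resolved": "https://registry.npmjs.org/@mastra/memory/-/memory-0.4.3.tgz",
      "integrity": "sha512-BBBB",
      "hasInstallScript": true
    },
    "node_modules/some-agent-kit/node_modules/@mastra/core": {
      "version": "0.10.6",
      "resolved": "https://cdn.example.invalid/mastra-core-0.10.6.tgz",
      "integrity": "sha512-CCCC"
    },
    "node_modules/zod": {"version": "3.23.8", "resolved": "https://registry.npmjs.org/zod/-/zod-3.23.8.tgz"}
  }
}'''

TRUSTED_ORIGIN = "https://registry.npmjs.org/"


def package_name(install_path):
    """Map an install path to the package name it holds.
    'node_modules/a/node_modules/@s/b' -> '@s/b'; the root entry '' -> ''."""
    return install_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, scope=SCOPE, known_good=KNOWN_GOOD):
    """Return one record per in-scope package copy, with a list of reasons it
    is suspect (empty list means it passed every check)."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name(path)
        if not name.startswith(scope):
            continue
        reasons = []
        version = meta.get("version")
        if version not in known_good.get(name, set()):
            reasons.append(f"version {version} not in known-good set")
        resolved = meta.get("resolved", "")
        if not resolved.startswith(TRUSTED_ORIGIN):
            reasons.append(f"resolved from unexpected origin {resolved or '<missing>'}")
        if meta.get("hasInstallScript"):
            reasons.append("declares an install script (runs code at npm install time)")
        if not meta.get("integrity"):
            reasons.append("no integrity hash")
        findings.append({"path": path, "name": name, "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        status = "OK  " if not f["reasons"] else "FLAG"
        print(f"{status} {f['name']}@{f['version']} ({f['path']})")
        for r in f["reasons"]:
            print(f"       - {r}")
```

Run it against every lockfile in the organization, including ones checked in by CI images, not just application repositories; a clean top-level pin does not clear a nested copy pulled in by another dependency, which is why the script reports each install path separately. A version that passes the pin check but was fetched from an unexpected origin still needs its tarball compared against the registry copy.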

Monitor Only

  • No items from today's feed fell into the monitor-only tier. All four clusters met the threshold for elevated action.

Analyst Observation

Three of four stories in this brief share a common thread: attackers abusing trusted infrastructure or trusted software channels — Microsoft Teams for ransomware C2, npm for supply chain insertion, and a security tool itself as the exploitation target. Detection strategies built around perimeter controls and known-bad signatures are structurally disadvantaged against this pattern.

The RoguePlanet situation warrants specific attention from security architects. A public PoC against your primary endpoint defense, with no vendor patch available, is an active exposure. Compensating controls and secondary detection layers need to be validated now.

Generated by DevSecOpsDadAttack cyber threat intelligence.